March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation (

Slides:



Advertisements
Similar presentations
Authentication.
Advertisements

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
Encrypting Wireless Data with VPN Techniques
Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
Version 1 of EAP-TTLS draft-ietf-pppext-eap-ttls-05.txt Paul Funk Funk Software.
Omniran GPP Trusted WLAN Access to EPC Use Case Analysis Date: Authors: NameAffiliationPhone Max RiegelNSN
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
802.1x EAP Authentication Protocols
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
IEEE Wireless Local Area Networks (WLAN’s).
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
Submission August 2001 Nancy Cam-Winget, Atheros Slide 1 Rapid Re-keying WEP a recommended practice to improve WLAN Security Nancy Cam-Winget, Atheros.
Michal Rapco 05, 2005 Security issues in Wireless LANs.
Doc.: IEEE /1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: Authors: NameCompanyAddressPhone .
WIRELESS LAN SECURITY Using
Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:
Chapter Network Security Architecture Security Basics Legacy security Robust Security Segmentation Infrastructure Security VPN.
Eugene Chang EMU WG, IETF 70
1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.
KAIS T Security architecture in a multi-hop mesh network Conference in France, Presented by JooBeom Yun.
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG
EAP Authentication for SIP & HTTP V. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia),
All Rights Reserved © Alcatel-Lucent 2007, ##### 1 | Presentation Title | January 2007 UMB Security Evolution Proposal Abstract: This contribution proposes.
EAP-based Mediating Network Selection Copyright © 2003, The Internet Society Farid Adrangi Intel Corporation ( ) ACKNOWLEDGEMENTS:
EAP-FAST Version 2 draft-zhou-emu-eap-fastv2-00.txt Hao Zhou Nancy Cam-Winget Joseph Salowey Stephen Hanna March 2011.
EAP Keying Framework Draft-aboba-pppext-key-problem-06.txt EAP WG IETF 56 San Francisco, CA Bernard Aboba.
ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)
Emu wg, IETF 70 Steve Hanna, EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,
IETF 57 PANA WG PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Doc.: IEEE /303 Submission May 2001 Simon Blake-Wilson, CerticomSlide 1 EAP-TLS Alternative for Security Simon Blake-Wilson Certicom.
Design Guidelines Thursday July 26, 2007 Bernard Aboba IETF 69 Chicago, IL.
Nov. 9, 2004IETF61 PANA WG PANA Specification Last Call Issues Yoshihiro Ohba, Alper Yegin, Basavaraj Patil, D. Forsberg, Hannes Tschofenig.
N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center
RFC 2716bis Wednesday, July 12, 2006 Draft-simon-emu-rfc2716bis-02.txt Dan Simon Bernard Aboba IETF 66, Montreal, Canada.
Extended QoS Authorization for the QoS NSLP Hannes Tschofenig, Joachim Kross.
Nov 10, EAP-based Mediating Network Discovery and Selection Copyright © 2003, The Internet Society Farid Adrangi Intel Corporation (
1 Extensible Authentication Protocol (EAP) Working Group IETF-57.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-05.txt Bernard Aboba Microsoft IETF 62, Minneapolis, MN.
Port Based Network Access Control
November 18, 2002 IETF #55, ATLANTA1 Problem with Compound Authentication Methods Jesse Walker Intel Corporation (
PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt)
Jari Arkko, Henry Haverinen, Joseph Salowey (presented by Pasi Eronen)
Discussions on FILS Authentication
SECURING WIRELESS LANS WITH CERTIFICATE SERVICES
PEKM (Post-EAP Key Management Protocol)
My name is Pascal Urien, ENST
802.1X/ Issues Nancy Cam-Winget, Cisco Systems
Security Activities in IETF in support of Mobile IP
Presentation transcript:

March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation ( ) ACKNOWLEDGEMENTS: ASHWIN PALEKAR, DAN SIMON, BERNARD ABOBA – MICROSOFT VICTOR LORTZ, FARID ADRANGI, JESSE WALKER - INTEL CORPORATION N.ASOKAN, KAISA NYBERG, VALTTERI NIEMI, HENRY HAVERINEN - NOKIA JOE SALOWEY, NANCY CAM-WINGET – CISCO, JARI ARKKO – ERICSSON MOHAN PARTHASARATHY – TAHOE NETWORKS Copyright © 2003, The Internet Society

March 17, 2003 IETF #56, SAN FRANCISCO2 Agenda Compound Methods Motivation Problem Summary Solutions Conclusion/Next Steps

March 17, 2003 IETF #56, SAN FRANCISCO3 Compound Methods Definition: Multiple authentication methods used in concert for a single purpose –Tunneled methods –Sequenced methods Typical Purposes –Network access authentication & authorization –Security Association establishment for protecting data traffic –Service access authentication & authorization –…

March 17, 2003 IETF #56, SAN FRANCISCO4 Motivation for Compound Methods using Tunnels Securing legacy methods in new environments Ease of deployment for securing legacy methods Providing consistent security properties and other features for different methods Securing multiple credentials in sequences

March 17, 2003 IETF #56, SAN FRANCISCO5 Problem = Man-in-the-Middle Attacks Focus is on Compound Tunneled Methods that support –single inner method –sequence of inner methods Non-tunneled Compound Sequences are also potentially vulnerable but not addressed –problem space unbounded? further study needed

March 17, 2003 IETF #56, SAN FRANCISCO6 Example WLAN Attack Scenario EAP/Identity Request EAP/Identity Response Tunnel establishment EAP/Identity Request EAP/Identity Response (user EAP/ Request / Method Challenge EAP/Response/ Method Response EAP/ Success EAP-Method in Tunnel WLAN Session Stolen Tunnel Keys ClientMitM Home AAA Server Tunnel Server AP Inner EAP Method Keys Derived & Not used Tunnel Keys Derived Inner Method Keys Derived

March 17, 2003 IETF #56, SAN FRANCISCO7 Problem Conditions Dual role man-in-the-middle attacker (rogue authenticator + rogue supplicant) Credential and authentication method re- use with and without tunnels Use of one-way server authenticated tunnel Use of tunnel session keys alone and no inner method session keys All conditions have to be true for the attack

March 17, 2003 IETF #56, SAN FRANCISCO8 Solution Requirements Fixes to existing EAP methods not ok Fixes to new EAP methods maybe ok Fixes to Tunnel methods ok Should work for different tunnel termination models Should not bring new requirements for other protocols (eg. RADIUS ) Forward Evolution for protocols with fix Backwards compatibility for fixed protocols Simplicity for fix (low compute costs & roundtrips) Upgraded EAP Base protocol maybe ok

March 17, 2003 IETF #56, SAN FRANCISCO9 Solution Concepts All methods –Use separate credentials inside and outside tunnels –Use methods inside tunnels always Key deriving methods –Can use cryptographic binding Binding can provide stronger authentication & session keys Avoids policy synchronization issues Preserves deployment convenience of one-way authenticated tunnels

March 17, 2003 IETF #56, SAN FRANCISCO10 Solution Mechanisms Recommended Policy restrictions –For non-key deriving methods client & server policy Use separate credentials inside/outside tunnels Use methods inside tunnels always Cryptographic Binding –Compound Keyed MACs Keyed MACs computed from safe one-way derivation from keys of all inner methods and tunnel method Additional mutual authentication round trip (binding phase exchange) with keyed MACs –Compound Session Keys Bound Key derived using safe one-way derivation from keys of all inner methods and tunnel method

March 17, 2003 IETF #56, SAN FRANCISCO11 Binding Phase Exchange with Compound Keyed MACs Binding Request B1 Binding Response B2 [VERSION,S_NONCE,……….. B1_MAC] [VERSION,C_NONCE,……….. B2_MAC] CMK_B1 (B1_MAC Key) Compound MAC Key Derivation S_NONCE TSK ISK1….ISKn Compound MAC Key Derivation S_NONCE C_NONCE TSK ISK1….ISKn CMK_B2 (B2_MAC Key) TSK = Tunnel Session Keys ISKi = Inner Session Keys for each method ‘i’ where i = 1..n C_NONCE = 256 bit random number derived on client S_NONCE = 256 bit random number derived on server Note: Sufficiency of 2-way handshake is based on binding using fresh session keys

March 17, 2003 IETF #56, SAN FRANCISCO12 Thwarting the attack with binding EAP/Identity Request EAP/Identity Response TLS Session establishment EAP/Identity Request EAP/Identity Response (user EAP/ Request / Method Challenge EAP/Response/ Method Response EAP/ Success EAP-Method in TLS Protected Session No Keys Sent ClientMitM Home AAA Server Tunnel Server AP Inner EAP Method KeysBinding Request B1 (B1 MAC) Binding Response B2 (B2 MAC) Attack Detected No WLAN Access Crypto Binding Inner EAP Method Keys Tunnel Keys Derived Binding Phase Exchange Crypto Binding

March 17, 2003 IETF #56, SAN FRANCISCO13 Solution Approaches Add Binding Phase to EAP base protocol or Tunnel Protocol –Already need for protected success/failure indication identified –Binding Phase exchange can also include the protected success/failure indication –Method Key export interface available –Cryptographic binding can give stronger keys Add Policy rules to Client and Server –Provides fix for non-key deriving methods

March 17, 2003 IETF #56, SAN FRANCISCO14 Conclusion/Next Steps Conclusion –Request approval for draft as EAP working group item Next Steps –Close on some of the outstanding Issues on EAP Issues list –Catalog new issues from comments on mailing list

March 17, 2003 IETF #56, SAN FRANCISCO15 References “Compound Authentication Binding Problem”, Puthenkulam, J., Lortz, V., Palekar, A., Simon, D., puthenkulam-eap-binding-02.txthttp:// puthenkulam-eap-binding-02.txt “Man-in-the-Middle in Tunnelled Authentication Protocols”, Asokan, N.,Niemi, V., Nyberg, K.,

March 17, 2003 IETF #56, SAN FRANCISCO16 Backup

March 17, 2003 IETF #56, SAN FRANCISCO17 Tunneled Methods Generic Model Terminology Tunnel endpoint is authentication ”agent” Authentication protocol endpoint is authentication ”server” ”Front-end” authenticator is end of access link to be authenticated Agent and Server may be co-located ClientAuthenticationAgentAuthenticationServer Stage 1: Tunnel Method Server authenticated for secure tunnel establishment Stage 2: Client Authentication Method Performs Client/User Authentication secure tunnel Front-endauthenticator Ciphered Link Tunnel Keys

March 17, 2003 IETF #56, SAN FRANCISCO18 Sequenced Methods Generic Model ClientAuthentication Agent 1 Authentication Agent 2 Protocol Sequence 1 Client AND/OR Server Authentication Protocol Sequence 2 Client AND/OR Server Authentication Front-endauthenticatorAuthenticationServer Protocol Sequence N Client AND/OR Server Authentication …. … Session Keys (Which method ?) Ciphered Link Terminology ”Front-end” authenticator is end of access link to be authenticated Intermediate endpoint in sequence is an authentication ”agent” Final authentication endpoint is authentication ”server” Agents and Server may be co-located.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.